Open topic with navigation
Use this parameter to specify the path to a directory containing multiple CA certificates in PEM format to check against. Each file must contain one CA certificate. The files are looked up by the CA subject name hash value, which must be available. If more than one CA certificate with the same name hash value exists, the extension must be different (for example, 9dd6633f0.0, 9dd6633f0.1, and so on). The search is performed in the order of the extension number, regardless of other properties of the certificates.
As an alternative, you can specify the path to a file containing multiple CA certificates in PEM format. The file can contain certificates identified by sequences like the following example:
... (CA certificate in base64 encoding) ...
You can insert text before, between, and after the certificates to be used as descriptions of the certificates.
Caution: If several CA certificates matching the name, key identifier, and serial number condition are available, only the first one is examined. This might lead to unexpected results if the same CA certificate is available with different expiration dates. If a “certificate expired” verification error occurs, no other certificate is searched. Make sure expired certificates are not mixed with valid ones.
For more information, refer to: http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html.